package org.apache.cxf.rs.security.saml.sso;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.ResourceBundle;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.DataFormatException;
import javax.annotation.PreDestroy;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.cxf.Bus;
import org.apache.cxf.common.i18n.BundleUtils;
import org.apache.cxf.common.i18n.Message;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.apache.cxf.rs.security.saml.sso.state.RequestState;
import org.apache.cxf.rs.security.saml.sso.state.ResponseState;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.util.DOM2Writer;
import org.w3c.dom.Document;

/* loaded from: input_file:org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.class */
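/**
 * Base class for the SAML Web SSO Assertion Consumer Service: receives the IdP's
 * {@code SAMLResponse} together with the {@code RelayState}, looks up (and consumes) the
 * {@link RequestState} that was stored when the SSO request was issued, validates the
 * response at protocol and SSO level, and on success stores a {@link ResponseState} and
 * redirects the browser to the original target with the security-context cookie set.
 * <p>
 * Every validation failure is answered with a bare HTTP 400; the reason is only logged
 * server-side through {@link #reportError(String)} so that no detail is echoed to the caller.
 */
public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandler {
    private static final Logger LOG = LogUtils.getL7dLogger(AbstractRequestAssertionConsumerHandler.class);
    private static final ResourceBundle BUNDLE = BundleUtils.getBundle(AbstractRequestAssertionConsumerHandler.class);
    /** Upper bound on the RelayState length in bytes (the SAML 2.0 bindings cap it at 80 bytes). */
    private static final int MAX_RELAY_STATE_BYTES = 80;

    // Non-POST binding responses are expected to be DEFLATE-compressed before Base64 encoding
    private boolean supportDeflateEncoding = true;
    // The SAMLResponse parameter is expected to be Base64-encoded
    private boolean supportBase64Encoding = true;
    private boolean enforceAssertionsSigned = true;
    private boolean enforceKnownIssuer = true;
    private boolean keyInfoMustBeAvailable = true;
    // Off by default: a signed Response envelope is only required when explicitly configured
    private boolean enforceResponseSigned;
    // Injected via setReplayCache(), otherwise created lazily by getReplayCache()
    private TokenReplayCache<String> replayCache;
    private MessageContext messageContext;

    /**
     * Injected JAX-RS message context; used for the Bus lookup, the absolute request URI
     * and the client address.
     *
     * @param messageContext the current message context
     */
    @Context
    public void setMessageContext(MessageContext messageContext) {
        this.messageContext = messageContext;
    }

    /**
     * @param supportDeflateEncoding whether a redirect-binding response is inflated after Base64 decoding
     */
    public void setSupportDeflateEncoding(boolean supportDeflateEncoding) {
        this.supportDeflateEncoding = supportDeflateEncoding;
    }

    public boolean isSupportDeflateEncoding() {
        return this.supportDeflateEncoding;
    }

    /**
     * @param tokenReplayCache the cache used to reject replayed assertions (POST binding only)
     */
    public void setReplayCache(TokenReplayCache<String> tokenReplayCache) {
        this.replayCache = tokenReplayCache;
    }

    /**
     * Returns the replay cache, creating an {@link EHCacheTokenReplayCache} bound to the
     * current Bus on first use when none was injected.
     *
     * @return the replay cache, never {@code null}
     */
    public TokenReplayCache<String> getReplayCache() {
        if (this.replayCache == null) {
            // NOTE(review): lazy init is unsynchronized; two concurrent first calls could each
            // create a cache — confirm the handler is used as a singleton, or inject the cache.
            Bus bus = (Bus) this.messageContext.getContextualProperty(Bus.class.getName());
            this.replayCache = new EHCacheTokenReplayCache(bus);
        }
        return this.replayCache;
    }

    public void setEnforceAssertionsSigned(boolean enforceAssertionsSigned) {
        this.enforceAssertionsSigned = enforceAssertionsSigned;
    }

    public void setEnforceKnownIssuer(boolean enforceKnownIssuer) {
        this.enforceKnownIssuer = enforceKnownIssuer;
    }

    public void setSupportBase64Encoding(boolean supportBase64Encoding) {
        this.supportBase64Encoding = supportBase64Encoding;
    }

    public boolean isSupportBase64Encoding() {
        return this.supportBase64Encoding;
    }

    /**
     * Closes the replay cache (if one exists) and then the superclass resources.
     * A failure to close the cache is logged and does not prevent the rest of the shutdown.
     */
    @Override
    @PreDestroy
    public void close() {
        if (this.replayCache != null) {
            try {
                this.replayCache.close();
            } catch (IOException e) {
                LOG.warning("Replay cache can not be closed: " + e.getMessage());
            }
        }
        super.close();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Processes an incoming SAML Response: consumes the RelayState, validates the response,
     * establishes the security context and redirects the browser to the stored target.
     *
     * @param encodedSamlResponse the raw {@code SAMLResponse} parameter value
     * @param relayState the raw {@code RelayState} parameter value
     * @param postBinding {@code true} for the HTTP-POST binding, {@code false} for HTTP-Redirect
     * @return a 303 redirect carrying the security-context cookie in {@code Set-Cookie}
     * @throws WebApplicationException 400 on any validation failure
     */
    public Response doProcessSamlResponse(String encodedSamlResponse, String relayState, boolean postBinding) {
        RequestState requestState = processRelayState(relayState);
        URI targetUri = getTargetURI(requestState.getTargetAddress());
        String cookie = createSecurityContext(requestState, encodedSamlResponse, relayState, postBinding);
        return Response.seeOther(targetUri).header("Set-Cookie", cookie).build();
    }

    /**
     * Converts the target address recorded in the request state into the redirect URI.
     *
     * @param targetAddress the address stored when the SSO request was issued; may be {@code null}
     * @return the parsed URI
     * @throws WebApplicationException 400 when the address is missing or not a valid URI
     */
    private URI getTargetURI(String targetAddress) {
        if (targetAddress == null) {
            reportError("MISSING_TARGET_URI");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
        try {
            return URI.create(targetAddress);
        } catch (IllegalArgumentException e) {
            reportError("INVALID_TARGET_URI");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
    }

    /**
     * Parses and validates the SAML Response, stores the resulting {@link ResponseState}
     * under a fresh random key and returns the security-context cookie for that key.
     *
     * @param requestState the consumed request state matching this response
     * @param encodedSamlResponse the raw {@code SAMLResponse} parameter value
     * @param relayState the raw {@code RelayState} parameter value
     * @param postBinding {@code true} for the HTTP-POST binding
     * @return the {@code Set-Cookie} header value for the security-context token
     * @throws WebApplicationException 400 when the response cannot be parsed or fails validation
     */
    protected String createSecurityContext(RequestState requestState, String encodedSamlResponse,
                                           String relayState, boolean postBinding) {
        org.opensaml.saml2.core.Response samlResponse = readSAMLResponse(postBinding, encodedSamlResponse);
        validateSamlResponseProtocol(samlResponse);
        SSOValidatorResponse validatorResponse = validateSamlSSOResponse(postBinding, samlResponse, requestState);

        // randomUUID() is backed by SecureRandom, so the key is unguessable
        String securityContextKey = UUID.randomUUID().toString();
        long createdAt = System.currentTimeMillis();
        // Honour the assertion's SessionNotOnOrAfter when present; fall back to the configured TTL
        Date sessionNotOnOrAfter = validatorResponse.getSessionNotOnOrAfter();
        long expiresAt = sessionNotOnOrAfter != null
            ? sessionNotOnOrAfter.getTime()
            : createdAt + getStateTimeToLive();
        ResponseState responseState = new ResponseState(validatorResponse.getAssertion(),
                                                        relayState,
                                                        requestState.getWebAppContext(),
                                                        requestState.getWebAppDomain(),
                                                        createdAt,
                                                        expiresAt);
        getStateProvider().setResponseState(securityContextKey, responseState);
        return createCookie(SSOConstants.SECURITY_CONTEXT_TOKEN, securityContextKey,
                            requestState.getWebAppContext(), requestState.getWebAppDomain());
    }

    /**
     * Resolves the RelayState to the stored request state and removes it from the state
     * provider, so a RelayState can be consumed only once.
     *
     * @param relayState the raw {@code RelayState} parameter value; may be {@code null}
     * @return the matching, unexpired request state
     * @throws WebApplicationException 400 when the RelayState is missing, empty, longer than
     *         80 UTF-8 bytes, unknown, or its request state has expired
     */
    protected RequestState processRelayState(String relayState) {
        if (relayState == null) {
            reportError("MISSING_RELAY_STATE");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
        // Measure in UTF-8 explicitly: getBytes() with the platform charset made the bound
        // depend on the JVM's default encoding.
        int relayStateLength = relayState.getBytes(StandardCharsets.UTF_8).length;
        if (relayStateLength == 0 || relayStateLength > MAX_RELAY_STATE_BYTES) {
            reportError("INVALID_RELAY_STATE");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
        RequestState requestState = getStateProvider().removeRequestState(relayState);
        if (requestState == null) {
            reportError("MISSING_REQUEST_STATE");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
        if (isStateExpired(requestState.getCreatedAt(), 0L)) {
            reportError("EXPIRED_REQUEST_STATE");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
        return requestState;
    }

    /**
     * Decodes the {@code SAMLResponse} parameter into an XML byte stream according to the
     * configured Base64/DEFLATE support and the binding in use.
     *
     * @param postBinding {@code true} for the HTTP-POST binding (never inflated)
     * @param encodedResponse the non-empty raw parameter value
     * @return a stream positioned at the start of the XML document
     * @throws WebApplicationException 400 when Base64 decoding or inflation fails
     */
    private InputStream decodeSamlResponse(boolean postBinding, String encodedResponse) {
        if (!isSupportBase64Encoding()) {
            return new ByteArrayInputStream(encodedResponse.getBytes(StandardCharsets.UTF_8));
        }
        try {
            byte[] decoded = Base64Utility.decode(encodedResponse);
            if (postBinding || !isSupportDeflateEncoding()) {
                return new ByteArrayInputStream(decoded);
            }
            // Redirect binding: the payload is DEFLATE-compressed before Base64 encoding.
            // NOTE(review): the input is attacker-controlled; confirm inflateToken bounds the
            // inflated size so a small request cannot expand into an oversized document.
            return new DeflateEncoderDecoder().inflateToken(decoded);
        } catch (Base64Exception | DataFormatException e) {
            throw ExceptionUtils.toBadRequestException(e, (Response) null);
        }
    }

    /**
     * Decodes and parses the {@code SAMLResponse} parameter into an OpenSAML Response object.
     *
     * @param postBinding {@code true} for the HTTP-POST binding
     * @param encodedSamlResponse the raw parameter value; may be {@code null} or empty
     * @return the unmarshalled SAML Response
     * @throws WebApplicationException 400 when the value is missing, cannot be decoded or
     *         parsed, or its root element is not a SAML Response
     */
    private org.opensaml.saml2.core.Response readSAMLResponse(boolean postBinding, String encodedSamlResponse) {
        if (StringUtils.isEmpty(encodedSamlResponse)) {
            reportError("MISSING_SAML_RESPONSE");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
        InputStream tokenStream = decodeSamlResponse(postBinding, encodedSamlResponse);

        Object responseObject;
        try {
            Document responseDoc = StaxUtils.read(new InputStreamReader(tokenStream, StandardCharsets.UTF_8));
            // Serialising the whole document is costly and the output can contain assertion
            // attributes, so only do it when FINE logging is actually enabled.
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Received response: " + DOM2Writer.nodeToString(responseDoc.getDocumentElement()));
            }
            responseObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
        } catch (Exception e) {
            // Malformed XML and OpenSAML unmarshalling errors are deliberately reported as a
            // bare 400; the cause is kept server-side at FINE for diagnosis only.
            LOG.log(Level.FINE, "SAML Response could not be parsed", e);
            throw new WebApplicationException(400);
        }
        if (!(responseObject instanceof org.opensaml.saml2.core.Response)) {
            // A well-formed SAML element of another type (e.g. a bare Assertion) is not accepted here
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
        return (org.opensaml.saml2.core.Response) responseObject;
    }

    /**
     * Protocol-level validation (signatures, KeyInfo) of the Response via
     * {@link SAMLProtocolResponseValidator}.
     *
     * @param response the unmarshalled SAML Response
     * @throws WebApplicationException 400 when validation fails; the detail is logged at FINE
     */
    protected void validateSamlResponseProtocol(org.opensaml.saml2.core.Response response) {
        try {
            SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
            protocolValidator.setKeyInfoMustBeAvailable(this.keyInfoMustBeAvailable);
            protocolValidator.validateSamlResponse(response, getSignatureCrypto(), getCallbackHandler());
        } catch (WSSecurityException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            reportError("INVALID_SAML_RESPONSE");
            throw ExceptionUtils.toBadRequestException((Throwable) null, (Response) null);
        }
    }

    /**
     * SSO-profile validation of the Response against the stored request state (issuer,
     * InResponseTo, audience, recipient URL, client address, replay) via
     * {@link SAMLSSOResponseValidator}.
     *
     * @param postBinding {@code true} for the HTTP-POST binding; the replay cache is only consulted then
     * @param response the protocol-validated SAML Response
     * @param requestState the consumed request state this response must match
     * @return the validator result holding the accepted assertion and its session expiry
     * @throws WebApplicationException 400 when validation fails
     */
    protected SSOValidatorResponse validateSamlSSOResponse(boolean postBinding,
                                                            org.opensaml.saml2.core.Response response,
                                                            RequestState requestState) {
        try {
            SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
            ssoValidator.setAssertionConsumerURL(this.messageContext.getUriInfo().getAbsolutePath().toString());
            // NOTE(review): behind a reverse proxy getRemoteAddr() is the proxy's address —
            // confirm the validator's address check matches the deployment.
            ssoValidator.setClientAddress(this.messageContext.getHttpServletRequest().getRemoteAddr());
            ssoValidator.setIssuerIDP(requestState.getIdpServiceAddress());
            ssoValidator.setRequestId(requestState.getSamlRequestId());
            ssoValidator.setSpIdentifier(requestState.getIssuerId());
            ssoValidator.setEnforceAssertionsSigned(this.enforceAssertionsSigned);
            ssoValidator.setEnforceResponseSigned(this.enforceResponseSigned);
            ssoValidator.setEnforceKnownIssuer(this.enforceKnownIssuer);
            if (postBinding) {
                ssoValidator.setReplayCache(getReplayCache());
            }
            return ssoValidator.validateSamlResponse(response, postBinding);
        } catch (WSSecurityException e) {
            reportError("INVALID_SAML_RESPONSE");
            throw ExceptionUtils.toBadRequestException(e, (Response) null);
        }
    }

    /**
     * Logs a localised warning for the given message key from this class's resource bundle.
     *
     * @param messageKey the bundle key of the error to report
     */
    protected void reportError(String messageKey) {
        LOG.warning(new Message(messageKey, BUNDLE, new Object[0]).toString());
    }

    public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) {
        this.keyInfoMustBeAvailable = keyInfoMustBeAvailable;
    }

    public boolean isEnforceResponseSigned() {
        return this.enforceResponseSigned;
    }

    public void setEnforceResponseSigned(boolean enforceResponseSigned) {
        this.enforceResponseSigned = enforceResponseSigned;
    }
}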
